Improvement for testing curves with several openssl / libressl versions
As noted in #2016 the detection of curves in find_openssl_binary()
was not yet perfect.
This commit removes another connect call. Also it corrects the port statement
for LibreSSL-like pre-checks as port 0 generally seems to me better suited.
Inline documentation was added.
It worked so far with OpenSSL 1.0.2, 1.1.1 and 3.0 and LibreSSL 3.4.
This is for 3.0. A similar commit (a11bd1585e) was for 3.1dev, see PR #2020.
This commit is contained in:
parent
25a8579a5a
commit
1b2903e7ac
10
testssl.sh
10
testssl.sh
@ -17090,14 +17090,20 @@ find_openssl_binary() {
|
|||||||
|
|
||||||
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
|
||||||
|
|
||||||
if $OPENSSL s_client -curves "${curves_ossl[0]}" -connect $NXCONNECT 2>&1 | grep -aiq "unknown option"; then
|
# The following statement works with openssl 1.0.2, 1.1.1 and 3.0 as LibreSSL 3.4
|
||||||
|
if $OPENSSL s_client -curves 2>&1 | grep -aiq "unknown option"; then
|
||||||
|
# This is e.g. for LibreSSL (tested with version 3.4.1): WSL users will get "127.0.0.1:0" here,
|
||||||
|
# All other "invalid.:0". We need a port here, in any case!
|
||||||
|
# The $OPENSSL connect call deliberately fails: when the curve isn't available with
|
||||||
|
# "getaddrinfo: Name or service not known", newer LibreSSL with "Failed to set groups".
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:8443 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
|
$OPENSSL s_client -groups $curve -connect ${NXCONNECT%:*}:0 2>&1 | grep -Eiaq "Error with command|unknown option|Failed to set groups"
|
||||||
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
HAS_CURVES=true
|
HAS_CURVES=true
|
||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
|
# Same as above, we just don't need a port for invalid.
|
||||||
$OPENSSL s_client -curves $curve -connect $NXCONNECT 2>&1 | grep -Eiaq "Error with command|unknown option"
|
$OPENSSL s_client -curves $curve -connect $NXCONNECT 2>&1 | grep -Eiaq "Error with command|unknown option"
|
||||||
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
|
||||||
done
|
done
|
||||||
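Review bot: The comment above the loop (`# The $OPENSSL connect call deliberately fails: when the curve isn't available with "getaddrinfo: Name or service not known", ...`) reads as if the getaddrinfo message signals an unavailable curve, but the grep on the `-groups $curve -connect ${NXCONNECT%:*}:0` line together with `[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "` does the opposite: a curve is recorded exactly when none of "Error with command", "unknown option" or "Failed to set groups" appears, so the bare connect failure is the expected outcome for a supported curve. Suggest rewording to `# The connect deliberately fails. A supported curve yields only a connect error (e.g. "getaddrinfo: Name or service not known"); an unsupported one yields "unknown option"/"Error with command", or "Failed to set groups" on newer LibreSSL.` This also makes the check fail-open — presumably any other failure of $OPENSSL whose message does not match the pattern (or a localized message) would mark every curve as supported, and `$?` after the pipeline is grep's status unless pipefail is in effect — so a one-line comment stating that assumption would help the next maintainer. `$curve` and `${NXCONNECT%:*}` are unquoted on both s_client lines; quoting them costs nothing. The enclosing find_openssl_binary() starts and ends outside the hunk.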
|